Details
- Type: New Feature
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- 3.3.2
- Server: MariaDB Community 10.11.6 LTS - O.S: Ubuntu 22.04
- Client: MariaDB Connector Java v3.3.2
Description
During authentication, even if the user was not created with the "REQUIRE X509" clause, two-way SSL authentication with a client certificate is still attempted if:
- the client has a client certificate set via the system property javax.net.ssl.keyStore, AND
- the client certificate was issued by a CA trusted by the MariaDB server.
If the attempt fails, as it will if the system keyStore was set for reasons other than authenticating with the MariaDB server, it produces a handshake failure that aborts the authentication, so the client cannot fall back to native password authentication.
In recent versions of MySQL Connector (8.0.22+), a workaround for this issue was introduced with the client connection property fallbackToSystemKeyStore (and fallbackToSystemTrustStore). See also this MySQL bug.
javax.net.ssl|DEBUG|0A|Thread-0|2024-03-21 15:17:30.603 CET|CertificateRequest.java:979|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate_request_context": "",
  [...]

javax.net.ssl|DEBUG|0A|Thread-0|2024-03-21 15:17:30.936 CET|Finished.java:673|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 88 EC 90 11 87 1E 8D 5B EA 74 7F 94 E6 A8 24 7D .......[.t....$.
    0010: 08 24 27 37 08 12 7D 9C 28 4F FB 28 9C 10 5F EC .$'7....(O.(.._.
    0020: 14 A4 8F 42 89 17 6A F3 F4 92 03 0E 5F 8F DF D2 ...B..j....._...
  }'}
)

javax.net.ssl|WARNING|0A|Thread-0|2024-03-21 15:17:30.953 CET|SSLSocketImpl.java:1658|handling exception (
"throwable" : {
java.net.SocketException: Broken pipe (Write failed)
    at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
    at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
    at java.base/sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:271)
Steps to reproduce:
- set up the server with an SSL certificate issued by a CA
- generate a client SSL certificate issued by the same CA
- create a user without any "REQUIRE" clause, or with "REQUIRE SSL" but not "REQUIRE X509"
- create a JDBC connection, specifying as system property javax.net.ssl.keyStoreType the path to the keystore containing the client certificate
Possible workarounds:
- unset the system property javax.net.ssl.keyStoreType -> not feasible if client-certificate authentication must be used in other scopes by the same application
- use a different CA certificate for the server or for the client certificate -> works, but it is a restriction
Thanks in advance for looking at this.
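Added example (not from the reporter or from the Connector/J code base): it rebuilds, at the JSSE level, the key manager the report describes as being derived from javax.net.ssl.keyStore, shows which alias that key manager would hand to a CertificateRequest naming a given CA, and builds a per-connection SSLContext that keeps the JVM trust settings but has no key manager at all, the scoped alternative to unsetting the global property. The CA name and key types are constructed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/** Shows which client certificate JSSE would present from the system key store, and how to scope it away. */
public final class ClientCertScope {
    /** Rebuilds the fallback the report describes: a key manager loaded from javax.net.ssl.keyStore. */
    static X509KeyManager systemKeyStoreManager() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) return null;                       // nothing configured: no client cert possible
        char[] pw = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(
            System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        for (KeyManager km : kmf.getKeyManagers())
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        return null;
    }

    /** The alias JSSE selects for a CertificateRequest naming these key types and CA subjects (null = none). */
    static String aliasOfferedFor(X509KeyManager km, String[] keyTypes, Principal[] serverCaNames) {
        return km == null ? null : km.chooseClientAlias(keyTypes, serverCaNames, null);
    }

    /** SSLContext for one connection: JVM default trust settings, but no key manager, so no client cert. */
    static SSLContext contextWithoutClientCert() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[0], null, null);  // empty array: nothing to answer a CertificateRequest with
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder: the CA subject the server lists in its CertificateRequest.
        Principal[] serverCas = { new X500Principal("CN=Example CA, O=Example") };
        X509KeyManager km = systemKeyStoreManager();
        String alias = aliasOfferedFor(km, new String[] { "RSA", "EC" }, serverCas);
        System.out.println(alias == null ? "No client certificate would be sent"
            : "Would send alias " + alias + ": " + km.getCertificateChain(alias)[0].getSubjectX500Principal());
        SSLContext scoped = contextWithoutClientCert();
        System.out.println("Scoped context ready: " + scoped.getSocketFactory().getClass().getName());
    }
}
```

Run it with -Djavax.net.ssl.keyStore=... to see which alias the JVM-wide key store would offer for the server's CA; the scoped context can be handed to any JSSE client that accepts an SSLContext or SSLSocketFactory.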